←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 1 comments | 22 Oct 25 08:37 UTC | HN request time: 0s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
slightwinder ◴[22 Oct 25 13:41 UTC] No.45669023[source]
Every door you close, is one less someone can break.

Every complex services running, is a door someone can potentially break. Even with the most secure and battle tested service, you never know where someone fucked up and introduced an exploit or backdoor. Happened too often to be not a concern. XZ Utils backdoor for example was just last year.

> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

If there is no harm, who cares...

replies(1): >>45669312 #
mdhb ◴[22 Oct 25 14:00 UTC] No.45669312[source]
Just to be super clear.. using this in place of something like WireGuard is absolutely not an improvement. It’s actively worse in the majority of scenarios assuming you can manage to secure your keys.
replies(2): >>45669572 #>>45671802 #
1. slightwinder ◴[22 Oct 25 14:20 UTC] No.45669572[source]
Yes, of course, should this just be an optional gadget for a setup, which is already as safe as possible for the situation. After all, when the port has been opened, your setup is also open for attacks. The knockers purpose is to reduce the timeframe of when your system is accessible for attackers.